HTTPS Everywhere Introduces New Feature: Continual Ruleset Updates

Today we're proud to announce the launch of a new version of HTTPS Everywhere, 2018.4.3, which brings with it exciting new features. With this newest update, you'll receive our list of HTTPS-supporting sites more regularly, bundled as a package that is delivered to the extension on a continual basis. This means that your HTTPS-Everywhere-protected browser will have more up-to-date coverage for sites that offer HTTPS, and you'll encounter fewer sites that break due to bugs in our list of supported sites. It also means that in the future, third parties can create their own list of URL redirects for use in the extension. This could be useful, for instance, in the Tor Browser to improve the user experience for .onion URLs. This new version is the same old extension you know and love, now with a cleaner behind-the-scenes process to ensure that it's protecting you better than ever before.

How does it work?

You may be familiar with our popular browser extension, available for Firefox, Chrome, Opera, and the Tor Browser. The idea is simple: whenever a user visits a site that we know offers HTTPS, we ensure that their browser connects to that site with the security of HTTPS rather than insecure HTTP. This means that users will have the best security available, avoiding subtle attacks that can downgrade their connections and compromise their data. But knowing is half the battle. Keeping the list of sites that offer HTTPS updated is an enormous effort, comprising a collaboration between hundreds of contributors to the extension and a handful of active maintainers to craft what are known as HTTPS Everywhere's "rulesets." At the time of writing, there are over 23,000 ruleset files - each containing at least one domain name (or FQDN, like sub.example.com).

Why go through all this trouble to maintain a list of sites supporting HTTPS, instead of just defaulting to HTTPS? Because a lot of sites still only offer HTTP. Without knowing that a site supports HTTPS, we'd have to try HTTPS first, and then downgrade your connection if it's not available. And for a network attacker, it's easy to fake the browser into thinking that a site does not offer HTTPS. That's why downgrading connections can be dangerous - you can fall right into the trap of an attacker. HTTPS Everywhere forces your browser to use the secure endpoint if it's on our list, thus ensuring that you'll have the highest level of security available for these sites.

Ordinarily, we'll deliver this ruleset list bundled with the extension when you install or update it. But it's a lot of work to release a new version just to deliver a new list of rulesets to you! So we've modified the extension to periodically check in with EFF to see if a new list is available. That way you'll get the newest ruleset list in a timely manner, without having to wait for a new version to be released. In order to verify that these are the authentic EFF rulesets, we've signed them so that your browser can check that they're legitimate, using the Web Crypto API. We've also made it easy for developers and third parties to publish their own rulesets, signed with their own key, and build that into a custom-made edition of HTTPS Everywhere. We've called these "update channels," and the extension is capable of digesting multiple update channels at the same time.
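The signed-update check described above, sketched with the Web Crypto API as an added example that is not HTTPS Everywhere's own code. The RSA-PSS parameters, the JSON bundle layout with a timestamp, the sample rule, and all function and channel names are assumptions made for illustration.

```javascript
// Added example: names, bundle layout and RSA-PSS parameters are assumptions.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;
const ALG = { name: "RSA-PSS", hash: "SHA-256" };
const SIGN = { name: "RSA-PSS", saltLength: 32 };
const enc = new TextEncoder();

// Publisher side (constructed for the demo): create a channel key, sign a bundle.
async function makeChannel(name) {
  const pair = await subtle.generateKey(
    { ...ALG, modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]) },
    true, ["sign", "verify"]);
  const jwk = await subtle.exportKey("jwk", pair.publicKey);
  return { name, jwk, privateKey: pair.privateKey };
}
async function signBundle(channel, timestamp, rulesets) {
  const body = JSON.stringify({ timestamp, rulesets });
  const signature = await subtle.sign(SIGN, channel.privateKey, enc.encode(body));
  return { body, signature };
}

// Extension side: accept a bundle only if the channel's pinned public key
// signed it and it is newer than the bundle already stored.
async function acceptUpdate(channel, bundle, storedTimestamp) {
  const key = await subtle.importKey("jwk", channel.jwk, ALG, false, ["verify"]);
  const ok = await subtle.verify(SIGN, key, bundle.signature, enc.encode(bundle.body));
  if (!ok) return { accepted: false, reason: "bad signature" };
  const parsed = JSON.parse(bundle.body); // parse only after verification
  if (parsed.timestamp <= storedTimestamp) return { accepted: false, reason: "not newer" };
  return { accepted: true, rulesets: parsed.rulesets };
}

async function demo() {
  const channelA = await makeChannel("channel-a");
  const channelB = await makeChannel("channel-b");
  const rules = [{ host: "example.com", from: "^http:", to: "https:" }]; // constructed
  const good = await signBundle(channelA, 200, rules);
  const tampered = { ...good, body: good.body.replace("https:", "http:") };
  const wrongKey = await signBundle(channelB, 200, rules);
  return {
    good: await acceptUpdate(channelA, good, 100),
    tampered: await acceptUpdate(channelA, tampered, 100),
    wrongKey: await acceptUpdate(channelA, wrongKey, 100),
    replayed: await acceptUpdate(channelA, good, 200),
  };
}

demo().then((results) => console.log(results));
```

Because each channel is checked against its own pinned key, a bundle validly signed for one update channel is rejected when presented on another.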

This is just the start

In the future, we plan to build on this feature, making it easy for users to modify the set of update channels they digest in their own HTTPS Everywhere instance. This will entail building out a nicer user experience to modify, delete, and edit update channels.

The fact is that only a small subset of the ruleset files change in a given time. So we'll also be researching how to safely deliver to your browser only the changes between one edition of the rulesets and the next. This will save you a lot of bandwidth, which is especially important in contexts where your ISP provides a slow or throttled connection.

Today, as always, we aim to better your browsing experience by protecting your data with this latest release. We're excited to bring you these new features, just as we've been glad to keep your browsing safe ever since we launched HTTPS Everywhere in 2010.

We'd like to thank Fastly for providing the bandwidth necessary to deliver our ruleset updates.
